Friday, March 6, 2015

Critical Windows Processes - System Idle process

This "System Idle Process" is one of the critical processes to be aware of on Windows systems. Many times, malicious processes will have the same or similar names as legitimate processes, so it's important that we are able to differentiate between what's legit and what's not legit.

System Idle process

- This is not actually a true process, as it is not tied to any user mode application, i.e. there is no "System Idle Process.exe". From the image seen above, there is no "path", "command line", "current directory", etc.
- Uses PID 0
- Its primary purpose is to keep the processor busy when no other thread is running
- From the graph below, at the time the snapshot was taken, this system was 21.5% busy as the CPU usage for the System Idle Process is 78.25%
- Runs completely in kernel mode. Below we see that this process spends all its time in kernel mode and none in user mode. While below shows thread 0, this is basically the same for the 3 other threads.
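The properties listed above (PID 0, no image path or command line, one kernel-mode idle thread per logical processor, and CPU usage that is the inverse of the idle percentage) can be checked directly on a live system. The script below is an added example written for this post, not code from the original article; it assumes a Windows PowerShell 5.1 or later session and uses only the built-in Get-Process and Get-CimInstance cmdlets against the Win32_Process, Win32_PerfFormattedData_PerfOS_Processor and Win32_ComputerSystem classes. The name-matching pattern in Find-IdleImpostor is the author's own choice of heuristic.

```powershell
# Added example (not from the original post). Inspects PID 0 on the local
# machine and compares it against the properties of the real idle "process".
# Assumption: Windows PowerShell 5.1+, run with enough rights to query WMI.

function Get-IdleProcessProfile {
    # WMI view of PID 0. A real image-backed process would have ExecutablePath
    # and CommandLine populated; the idle pseudo-process has neither.
    $wmi = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = 0"

    # Processor-wide idle percentage over the last sampling interval; the
    # "busy" figure is simply 100 minus idle, as in the post's screenshot.
    $cpu = Get-CimInstance -ClassName Win32_PerfFormattedData_PerfOS_Processor -Filter "Name = '_Total'"

    # Assumption: the idle process exposes one thread per logical processor,
    # so the two counts should match on a healthy system.
    $threads = (Get-Process -Id 0).Threads.Count
    $logical = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors

    [pscustomobject]@{
        Name              = $wmi.Name
        ProcessId         = $wmi.ProcessId
        ExecutablePath    = $wmi.ExecutablePath
        CommandLine       = $wmi.CommandLine
        PercentIdleTime   = $cpu.PercentIdleTime
        PercentBusy       = 100 - $cpu.PercentIdleTime
        IdleThreads       = $threads
        LogicalProcessors = $logical
    }
}

function Find-IdleImpostor {
    # Defender check: any process whose name resembles the idle process but
    # which is not PID 0, or which has an image path or command line, cannot
    # be the genuine idle pseudo-process and deserves a closer look.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match '(?i)^system\s*idle' } |
        Where-Object { $_.ProcessId -ne 0 -or $_.ExecutablePath -or $_.CommandLine } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

# Usage: print the profile of the real PID 0, then look for look-alikes.
$idle = Get-IdleProcessProfile
$idle | Format-List

if ($idle.ExecutablePath -or $idle.CommandLine) {
    Write-Warning "PID 0 unexpectedly reports an image path or command line."
}
if ($idle.IdleThreads -ne $idle.LogicalProcessors) {
    Write-Warning "Expected $($idle.LogicalProcessors) idle threads, found $($idle.IdleThreads)."
}

$impostors = Find-IdleImpostor
if ($impostors) {
    $impostors | Format-Table -AutoSize
} else {
    'No process impersonating System Idle Process was found.'
}
```

On a normal system the profile shows Name "System Idle Process", an empty ExecutablePath and CommandLine, and a thread count equal to the number of logical processors; anything else, or any hit from Find-IdleImpostor, is a starting point for triage rather than proof of compromise, since the real check is whether the process is PID 0 with no backing image.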

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis